3 minute read
Brexit and GDPR update – forget Deal or No Deal, it’s all about Adequacy now
Topics: Data Privacy
By Calligo on 1 May 2020
As the Brexit situation has evolved, we have updated our guidance to match.
This blog below is superceded by our latest information, available here.
We have also updated some of the links below to direct to our latest - more useful - resources.
The simple premise was that if there was a Deal, then the transitional period would begin, during which time the UK would have to seek “Adequacy” in order to continue bi-directional sharing of personal data with the EU. In our previous blog, we described as:
…a formal recognition that the country’s data privacy regime (the laws that govern the way in which personal data is treated within the country by the state and businesses and individuals within it) is suitable for EU personal data to be transferred to it, and offers at least similar protections to the regime that the EU member states are bound by.
However, if there had been a “No Deal” Brexit, then the UK would have become a third country without adequacy. Overnight, the UK would have become an illegitimate territory for EU personal data.
The message for businesses was to prepare accordingly and make up the shortfall by ensuring suitable measures were in place to assure data subjects and authorities of the safety of personal data – measures including Binding Corporate Rules, reviewing EU Representative appointments, and Standard Contractual Clauses (though see our latest Periodic Table blog for a note on how the validity and usefulness of these is currently being challenged).
Now, the conversation has shifted. No Deal carries a less than 1% likelihood. But this does not mean that everything is simpler. Because so much time has passed, the comfort that in the case of a Deal Brexit, the UK had enough time to secure adequacy has quite simply vanished.
The core, unanswered question for the UK’s data privacy environment is now: can the UK secure Adequacy in time? And what happens if it does not?
Based on this uncertainty, we have updated the Brexit & GDPR flowchart to focus on the Adequacy decision.
The new version is available here.
The Brexit transition period lasts until 31 December 2020. There had previously been an extension provision in place if applied for before July 2020, but the UK government has banned itself from requesting it – giving the UK a hard deadline of 11 months to secure adequacy. If the UK and the EU fail to come to an agreement, then the nightmare scenario of No Deal described above becomes reality: no legal framework and no ability to transfer personal data to and from the EU, placing all the burden on businesses to close the protective gap themselves.
The UK has 11 months to secure adequacy.
The fastest adequacy decision made to date was granted to Argentina in 18 months.
Adequacy will not be a formality.
There are concerns over UK surveillance and its handling of citizens’ personal data, especially as regards the powers that the UK government has under the Investigative Powers Act 2016. Plus, the UK has a close security relationship with Australia, often sharing personal information in both directions, which is a country that has notoriously been refused adequacy by the EU due to its own failings in its privacy regime. The EU will be keen to be reassured that it will not be creating a “back door” for EU personal data flowing into the Australian jurisdiction.
The UK has also created its own problems by not being forthcoming in sharing criminal records of foreign EU nationals with their home governments. This is angered EU security bodies and data authorities alike due to its procedural and transparency failings.
The UK’s Data Protection Act – its local manifestation of the EU’s GDPR – has meanwhile attracted criticism for not being in line with the EU’s Charter of Fundamental rights, particularly as regards the Act’s waiving of privacy rights in immigration control processes.
There are also some smaller procedural issues that will need to be resolved, mainly involving discrepancies between the law in Scotland versus that in England & Wales. For example, the age of criminal responsibility in Scotland is 12, while it is 10 in England & Wales. These will have to normalised before any adequacy can be granted.
And of course, the UK is not the only country seeking adequacy and will have to share the EU’s attention with South Korea, whose negotiations are well-progressed, and with Mexico and India whose processes are in the earlier stages.
You may ask why the UK government has not been more proactive and working in the background with the EU to secure adequacy in good time before the deadline. However, the EU has been reluctant to enter into meaningful discussions before the terms of Brexit are agreed, or at least “all but agreed” – which it famously has not been, and arguably still is not.
Adequacy is a vital part of businesses active in the UK being able to also operate in the EU. And earning it could be too tough a battle to win in 11 months. Businesses will therefore have to act appropriately to cover themselves – and fast.